Penetration Testing mailing list archives

Re: [PEN-TEST] Non-routable IP weaknesses?


From: batz <batsy () VAPOUR NET>
Date: Wed, 20 Dec 2000 07:13:03 -0500

On Wed, 20 Dec 2000, Thomas Reinke wrote:

:Anyone know of anything "interesting" that one could do once
:one had determined that a customer, protected by a NAT based device,
:had specific non-routable IPs active (e.g. 10.x.x.x, 172.16-31.x.x
:and 192.168.x.x addresses)

Compromise their router and set up a tunnel from it to you using
a small netblock carved out of their space so that you seem local.

See if you can source route packets into their network. (probably not,
but try it)

Also depending on how many hops you are away, you might be able to get
some of their address space routed outside their NAT device using rip
or ospf so that you can start scanning the hosts directly.

Otherwise, your options are pretty much limited to blind spoofing (have fun)
and blind snmp-sets on devices you have no idea if they are running snmp.

I've often come across people's internal addresses due to misconfigured
proxies, weird NAT'isms that respond to icmp from the internal addresses
(proxy arp on ketamine or something) and particularly IIS giving
the Content-Location: in the http server header. Also, getting an arp
table from an snmp agent in the target's DMZ often yields internal addressing.

However, this information is mostly useless unless you are on a host within
a couple (8 actually) of hops of the NAT device, or sitting in front of
it on the DMZ.

This one often ends up listed under "Further recommendations" which
generally means that it's not a prudent configuration, not critical,
or would require such time/skill that I couldn't possibly exploit it
within the confines of the rules of engagement, but if someone was
truly elite, they could. Think Crouching Tiger, Hidden Dragon.



--
batz
Reluctant Ninja
Defective Technologies
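The two passive leaks batz mentions above (an IIS Content-Location header carrying an internal address, and an ARP table pulled from an SNMP agent on the DMZ) are easy to check for on engagement output. The script below is an added example written for this archive page, not code from batz or from the thread; it classifies addresses against the three RFC 1918 ranges Thomas listed, scans raw HTTP response headers for private addresses, and parses snmpwalk-style lines of the IP-MIB ipNetToMediaPhysAddress column (OID 1.3.6.1.2.1.4.22.1.2) into IP/MAC pairs. The HTTP response and the snmpwalk output are constructed samples, and the assumption is that the walk was printed with numeric OIDs and Hex-STRING values in the net-snmp style.

```python
"""Spot RFC 1918 addresses leaking through HTTP headers and SNMP ARP tables.

Added example for the PEN-TEST thread above; not batz's code. All inputs
below are constructed for illustration.
"""
import ipaddress
import re

# The three non-routable blocks from the original question.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# ipNetToMediaPhysAddress rows as net-snmp prints them with numeric OIDs:
# .1.3.6.1.2.1.4.22.1.2.<ifIndex>.<a>.<b>.<c>.<d> = Hex-STRING: xx xx xx xx xx xx
ARP_ROW_RE = re.compile(
    r"\.1\.3\.6\.1\.2\.1\.4\.22\.1\.2\.(\d+)\.((?:\d{1,3}\.){3}\d{1,3})"
    r" = Hex-STRING: (.+)"
)


def is_rfc1918(addr: str) -> bool:
    """True if addr parses as IPv4 and lies in 10/8, 172.16/12 or 192.168/16."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def private_ips_in(text: str) -> list:
    """Distinct RFC 1918 addresses found in text, in order of first appearance."""
    found = []
    for candidate in IPV4_RE.findall(text):
        if is_rfc1918(candidate) and candidate not in found:
            found.append(candidate)
    return found


def leaked_from_http(raw_response: str) -> dict:
    """Map header name -> private addresses found in its value.

    Only the header block is examined (everything before the blank line);
    the status line is skipped. Content-Location is the IIS case from the
    post, but any header is checked the same way.
    """
    leaks = {}
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        hits = private_ips_in(value)
        if hits:
            leaks[name.strip()] = hits
    return leaks


def arp_entries_from_snmpwalk(walk_output: str) -> list:
    """Parse ipNetToMediaPhysAddress rows into (ip, mac) pairs for RFC 1918 IPs.

    The IP is taken from the OID index, the MAC from the Hex-STRING value;
    non-private neighbours (e.g. the DMZ gateway) are dropped.
    """
    entries = []
    for line in walk_output.splitlines():
        m = ARP_ROW_RE.search(line)
        if not m:
            continue
        ip = m.group(2)
        mac = ":".join(octet.lower() for octet in m.group(3).split())
        if is_rfc1918(ip):
            entries.append((ip, mac))
    return entries


# Constructed sample: an IIS response whose Content-Location names the
# server's internal address rather than its public name.
SAMPLE_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Content-Location: http://10.1.2.15/Default.htm\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: three ARP rows from a DMZ host's SNMP agent, two on
# the inside interface (ifIndex 2) and one on the outside (ifIndex 1).
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.22.1.2.2.10.1.2.1 = Hex-STRING: 00 0C 29 AB CD EF
.1.3.6.1.2.1.4.22.1.2.2.10.1.2.15 = Hex-STRING: 00 50 56 12 34 56
.1.3.6.1.2.1.4.22.1.2.1.203.0.113.7 = Hex-STRING: 00 1B 21 9A 8B 7C
"""

if __name__ == "__main__":
    print("HTTP header leaks:", leaked_from_http(SAMPLE_HTTP))
    for ip, mac in arp_entries_from_snmpwalk(SAMPLE_WALK):
        print("internal ARP entry:", ip, mac)
```

Against the constructed samples this reports the 10.1.2.15 address from the Content-Location header and the two 10.1.2.x neighbours from the ARP table while ignoring the public 203.0.113.7 entry. Real runs would feed it a saved `curl -i` response or the output of `snmpwalk -On` against the agent; the 172.16/12 boundary is handled by the network object rather than by string prefix, so 172.32.x.x is correctly treated as public.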

